Pages

Friday, May 15, 2009

SSO with SAML & ADF Security

In my previous blog I got Single Sign On working with J2EE container security. In this blog entry I got it also working with ADF Security. Just create a SAML source and destination site and follow these stepsCreate a new relying party for the ADF Security Application on the SAML source site.

Go the WLS console of the Saml source server and go to the myrealm Security RealmGo to providers -> Credential Mapping -> SAMLCredentialMapperSAMLCredentialMapper -> Managment -> new Relying Party

On the main site you can add a link to the ADF Security application like this <a href="http://localhost:7101/appC/adfAuthentication">appC</a>

And change login-conf in the web.xml of the ADF Security Application so it uses certificate auhtentication.<login-config> <auth-method>CLIENT-CERT</auth-method> <realm-name>myrealm</realm-name></login-config>

The only thing that isn't working yet is the redirecting to the success url after the succesfull authentication by the ADF Security servlet.

24 comments:

Edwin --Very helpful blogs. I had a confusion/I am not clear on how one can pass the security token from a java web application to the webserice stub that it calls -if the domains are not trusted. ie if i have cookie in my web hhtp layer, i do not want to pass it directly to the service clinet stub, but use some kind of underlying security layer so that the webservice client picks the cookie/token and send it in soap.

Hi Edwin, did you get it working to redirect to the success url after the succesfull authentication by the ADF Security servlet? As i got to the same point you did. If you did so, how can i get it? Thanks a lot!

Hi Edwin, Ur blogs have been very usefulWe need to establish a SAML SSO link between Oracle Image and Process Management(OIPM) and BPEL Workflow Human Task. We have tried ur steps however this is at the AdminServer level... How would ur steps work at the Managed Server level. Thanks

I'm trying to get an ADF application working with a WLS domain that has a SiteMinder Authentication Provider and Identity Asserter configured, similar to your SAML example. J2EE security works (eg. isUserInRole()) but ADF doesn't appear to be able to 'see' the groups/users that are populated into the Subject.

I know they are there, but the taskflows and regions I've granted to them simply won't show up when I log into the app.

I'd be very grateful if you had any thoughts. I've got a thread open on OTN here:https://forums.oracle.com/forums/thread.jspa?messageID=9949595&#9949595

I am attempting a project where I wish to integrate a secondary JEE application to leverage the security of a primary application.

I am working with Oracle Business Intelligence 11g. The installed primary application goes into the context-root /analytics. I would then like to create a secondary application that deploys to the context-root /analytics/myapp.

Is there a way to get the secondary application to know what user is logged in to the primary application if both are deployed on the same WLS server, domain, etc.?

I am creating the secondary application in ADF and I am attempting to use the ADF.shared.connection which I understand may only be available from the Oracle BI libraries.

I posted this question over on Oracle Forums and one responder even referenced your blog,https://forums.oracle.com/forums/thread.jspa?threadID=2312079&tstart=0Another responder mentioned WLS Shared Sessions. Can you provide any help on this?

Thanks Edwin, this worked fine for me. Configuring SSO with SAML and ADF security. I have followed the same steps and configuration as mentioned above.

I have one issue here and seek your help.I m trying to configure a application (which is built using ADF security) using SAML1.1. The requirement is that this desitnation application should also work as a standalone apart from getting request from the source application. I have made all changes required for SAML destination. When I am trying to access this application (as a standalone), request is getting redirected to "Source Site ITS URL" as mentioned in the asseter and expected user to key in the credentials. So thats means the application is depend on the source configuration (atleast the same user should be present at source also).

Any idea on how to bypass this? If the request is received from source then it should verfied with CLIENT-CERT other wise it should act as a simple FORM.

maybe you can make a weblogic deployment plan which can change the CLIENT-CERT value to basic. But both is not possible. Because you are using ADF you can put everything in a ADF lib ( TF, fragments and Model) and make 2 light web applications which uses the same adf libs but with different security.

Thanks Edwin.When I sent a request from appA to ADF security application (after successful login) through browser IE9, then it just stucks at security certificate warning page. I tried clicking on the continue link but still stuck at same page. It seems to me that you were also having similar problem as you have mentioned in the end of your blog.

I got this working. A simple web application (appA) can connect to appB (ADF security application) via SSO with SAML. appB application can also be accessed direclty (request may not be always from appA) and tested in 3 browsers firefox, IE, and chrome. You will experience some security certificate warning messages (as self signed certificate is not authorised by any certificate authority), you need to just accept and continue.

To access appB direclty from IE, you need to generate the certificate by giving hostname/IP address of the server (which one you use while accessing the server) as a Common Name (first name and last name parameter). Then import the generated certificate in IE under “Trusted Root Certificate Authorities”.

Thanks Edwin, I found this is for "SAMLCredentialMapper". How about the "SAML2CredentialMapper" SAML 2.0 Credential Mapping Provider? I tested with normal web app which is working. However, is there any special steps for ADF applications and ADF securities? Thanks.

ex Oracle ACE , Java Developer of the year 2009. Co-writer of the OSB Development Cookbook.I am working as a Software Architect and specialized in CI,CD, integration, middleware, security and web development.